As cyber threats continue to evolve and become more sophisticated, traditional security models that rely on perimeter defenses are no longer effective. In response, a new security model called zero trust has emerged.
Zero trust refers to a security model that assumes that nobody, whether they’re inside or outside your organization, should be trusted by default. This means that all access requests to systems, applications, and data must be verified, authenticated, and authorized before being granted. The zero-trust model operates on the principle of least privilege. This means that users and devices are only given the minimum access required to perform their tasks.
In today's complex world where the threat landscape shifts like desert sands, designing applications with zero-trust principles can help reduce the risk of cyber-attacks. By designing applications that require authentication and authorization at every step, you can make sure that only the authorized user is accessing sensitive data or application features. What’s more, zero-trust application security is designed to be better equipped to detect and respond to threats promptly. So, it minimizes the damage caused by cyber-attacks.
In this article, we’ll explore some key strategies for embracing zero-trust application security. These include being wary of third parties, the benefits of zero-knowledge cryptography, and how to mitigate insider threats.
So, let’s get started.
Be wary of third-party services
Imagine that your application is a car.
The moment it leaves the factory, a myriad of security concerns appear from every angle. You have to consider the environment, the roads, pedestrians, cyclists, other cars, and the drivers of those cars. As a manufacturer you need to equip the car with safety measures for all these threats, such as speed limiters, automatic braking, lane-keeping systems, and many more besides. A neat example of such a check is the temperature and controllability test that modern cars perform - they're able to warn you that the road may be slippery.
Well, the same principles can be applied to a mobile application. The application is launched into the wild in pretty much the same way.
Third-party services are an integral part of modern application development. But they are also a significant source of risk because they introduce additional attack surfaces and vulnerabilities that can be exploited by attackers. Third-party services often require access to sensitive data, and if these services were compromised then attackers would gain access to this data.
We wrote an article on this site where we considered the usage of cloud-based app security solutions to be too risky. We arrived at that conclusion because it means you're handing over your valuable asset to third-party services, and at that point it's completely out of your control.
One strategy for reducing your reliance on third-party services is to develop in-house services that perform the same functions. This approach gives you more control over the service and reduces the risk of compromise. That said, we recognize that developing in-house can be time-consuming and costly, especially for smaller organizations with limited resources.
Another strategy is to use open-source software instead of third-party services, as open-source software can be audited and reviewed by the community for security vulnerabilities. Open-source software also provides transparency, allowing developers to see how the software works and what data it has access to. This can help identify any potential security risks and allow developers to address them before deployment.
You should be equally prudent about the third-party components within your application. Modern apps consist of useful libraries covering navigation, image loading, dependency injection, networking and other aspects of a mobile application. Despite being a great help in speeding up the dev process, these libraries also bring the risk of supply chain attacks. This is where the target application gets infected indirectly through one of its dependencies. A worrying example of such an attack led to the potential leakage of around a third of the Chinese population’s contact details.
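The supply-chain risk described above is usually mitigated by pinning every dependency to a reviewed digest and refusing to build when a fetched artifact is unpinned or no longer matches. The following is an added example, not code from the original article: the artifact bytes, library names and version numbers are constructed stand-ins, and the lockfile is built from them inline so the script runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedArtifact:
    name: str
    version: str
    sha256: str  # digest recorded when the dependency was reviewed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_build_inputs(lockfile, fetched):
    """Fail closed: every fetched artifact must be pinned AND match its pinned
    digest. Returns (ok, problems); an empty problem list means the build may
    proceed. `fetched` maps (name, version) -> artifact bytes."""
    pinned = {(a.name, a.version): a.sha256 for a in lockfile}
    problems = []
    for (name, version), data in sorted(fetched.items()):
        expected = pinned.get((name, version))
        if expected is None:
            problems.append(f"{name} {version}: not in lockfile, unreviewed dependency")
            continue
        actual = sha256_hex(data)
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{name} {version}: digest mismatch, artifact changed since review")
    return not problems, problems


# Constructed sample artifacts standing in for library archives (AAR/JAR/wheel).
GOOD_IMAGE_LOADER = b"constructed bytes of image-loader 3.1.0"
GOOD_NETWORKING = b"constructed bytes of networking 5.0.2"

# Lockfile built from the reviewed bytes; in real life this file is committed
# and only changes through a reviewed pull request.
LOCKFILE = [
    PinnedArtifact("image-loader", "3.1.0", sha256_hex(GOOD_IMAGE_LOADER)),
    PinnedArtifact("networking", "5.0.2", sha256_hex(GOOD_NETWORKING)),
]


def demo_clean():
    """Exactly the reviewed bytes arrive: build proceeds."""
    return verify_build_inputs(LOCKFILE, {
        ("image-loader", "3.1.0"): GOOD_IMAGE_LOADER,
        ("networking", "5.0.2"): GOOD_NETWORKING,
    })


def demo_tampered():
    """Same version number but different bytes (a republished or swapped
    package), plus a transitive dependency nobody reviewed: build stops."""
    return verify_build_inputs(LOCKFILE, {
        ("image-loader", "3.1.0"): GOOD_IMAGE_LOADER,
        ("networking", "5.0.2"): GOOD_NETWORKING + b" with extra payload",
        ("analytics-sdk", "1.0.0"): b"constructed bytes of an unpinned package",
    })


if __name__ == "__main__":
    print(demo_clean())
    print(demo_tampered())
```

The same idea is what pip's `--require-hashes` mode, the `integrity` fields in an npm lockfile and Gradle's dependency verification give you out of the box; the point of the toy version is that a version number alone proves nothing, only the digest of the bytes you reviewed does.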
A big part of zero-trust application security is zero-knowledge cryptography.
This is a technique that allows two parties to exchange information without revealing any sensitive data to one another. In zero-knowledge cryptography, one party can prove to the other that they know a particular piece of information without actually revealing that information to the other party.
It’s a particularly useful technique for situations where two parties need to exchange sensitive information but don’t trust each other. Zero-knowledge cryptography can be used to authenticate users or devices without exposing any sensitive data or credentials to unauthorized parties.
The main advantage of zero-knowledge cryptography is its ability to provide strong authentication and verification of user identity, without compromising user privacy or exposing sensitive data. This makes it an excellent solution for use cases where privacy and security are critical, such as in financial transactions, healthcare, and identity verification.
Zero-knowledge cryptography also enables secure remote access to sensitive data and systems, without requiring users to reveal their passwords or credentials to third parties. This is particularly important in situations where users need to access data or systems from public or untrusted networks, such as over the internet or via mobile devices.
There are several technologies and protocols that can be used to implement zero-knowledge cryptography, including:
- Secure Comparator - allows two parties to compare a shared secret without revealing it to a potentially dishonest party (as well as to any third party that might be listening in).
- Secure Remote Password (SRP) - a protocol for secure password authentication that uses zero-knowledge proofs to verify the identity of users without revealing their passwords to the server.
- Password-less authentication - a cryptography-based method for conveniently authenticating users without storing password material on the server or sending a shared secret over the network. It is now generally available on Android and iOS, supported by both Google and Apple.
- Signal Protocol - a secure messaging protocol that uses zero-knowledge proofs to enable end-to-end encryption, without revealing the contents of messages to third parties. You can use it to build your own clients, leverage the crypto primitives, implement zero-knowledge credentials, and more.
- Zero-knowledge proof systems (ZKPS) - a family of cryptographic protocols that enable two parties to prove the validity of a statement without revealing any sensitive data or information.
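To make the SRP entry above concrete, here is an added example (not code from the original article or from any of the projects it names) of an SRP-6a exchange: the server stores only a salt and a verifier, both sides exchange public values, and they arrive at the same session key exactly when the client knew the password, which never leaves the client. It assumes the RFC 5054 1024-bit group, written from memory and checked for being a safe prime by `group_is_sane()`, and uses SHA-256 where the RFC specifies SHA-1; the usernames and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit SRP group (g = 2), reproduced from memory and checked by
# group_is_sane() below. It is the smallest standard group; new deployments
# should use the 2048-bit group or larger.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (the RFC's PAD())."""
    return x.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to sanity-check the hard-coded group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """N must be a safe prime: both N and (N-1)/2 prime."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Enrolment: the server keeps only salt and verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(username, password, salt), N)
    return salt, v


def client_start():
    a = secrets.randbelow(N)
    return a, pow(g, a, N)  # a stays private, A goes to the server


def server_start(v: int):
    b = secrets.randbelow(N)
    return b, (k * v + pow(g, b, N)) % N  # b stays private, B goes to the client


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("server sent an illegal B")
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("client sent an illegal A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def run_exchange(username: str, attempt_password: str, salt: bytes, v: int) -> bool:
    """Full round trip: True when both sides derive the same key, i.e. the
    password was right, although it never crossed the wire."""
    a, A = client_start()
    b, B = server_start(v)
    k_client = client_session_key(username, attempt_password, salt, a, A, B)
    k_server = server_session_key(v, b, A, B)
    return hmac.compare_digest(k_client, k_server)


if __name__ == "__main__":
    assert group_is_sane()
    salt, v = register("alice", "correct horse battery staple")  # constructed
    print("right password:", run_exchange("alice", "correct horse battery staple", salt, v))
    print("wrong password:", run_exchange("alice", "Tr0ub4dor&3", salt, v))
```

The example stops at key agreement; a real implementation also exchanges the RFC's key-confirmation messages so each side proves it holds the key before any application data flows, and a breach of the server yields only verifiers, which still have to be brute-forced per salt rather than replayed as passwords.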
Despite its many advantages, zero-knowledge cryptography also has several challenges and limitations that you should consider. One of the main challenges is the complexity and overhead of implementing zero-knowledge protocols, which can make them difficult and costly to deploy. This can be overcome through the use of open-source, highly trusted implementations of zero-knowledge primitives.
Another challenge is the need for strong randomness and entropy, which is required to generate the cryptographic keys and nonces used in zero-knowledge proofs. Without strong randomness, zero-knowledge protocols can be vulnerable to attacks and exploitation.
Finally, zero-knowledge cryptography is not a fix for all security and privacy issues. While it can provide strong authentication and verification, it doesn’t protect against other types of attacks like side-channel attacks, malware, or social engineering.
Risks from end users and employees
Human error, carelessness, or malicious intent can also compromise the security of your application. For instance, a user might unwittingly download malware or fall victim to a phishing attack. And an employee could intentionally steal sensitive data or credentials.
Employee trustworthiness can be affected by a range of factors, such as the size and complexity of the organization, the type of data being accessed, and the level of privileged access granted to users or employees. A small organization with only a few employees might be able to trust its staff more than a large enterprise with thousands of employees spread across multiple locations and systems.
There have been numerous cases of employee breaches that have resulted in significant data breaches. For example, in 2020, Twitter suffered a breach that resulted in the compromise of numerous high-profile accounts. The breach was caused by a social engineering attack that targeted Twitter employees and resulted in the theft of employee credentials. Another example is the 2014 Sony Pictures breach, which was caused by an insider threat that involved the theft and dissemination of confidential data by a disgruntled employee.
Digital banks tend to be particularly paranoid about the principle of least privilege. And with good reason. Those that truly care about security have a range of tools and processes in place to make sure the personal data of their clients isn’t misused, or worse, leaked.
One strategy for reducing human risk from end users and employees is to implement strict access controls and authentication mechanisms: strong passwords, multi-factor authentication and, more importantly, role-based access controls that limit access to sensitive data and systems. Role-based access control (RBAC) assigns permissions to users based on their role in the organization, so each person reaches only the data and applications their role needs. You can see this in the App Store Developer console: you assign a person either content editor permission or billing permission, thus denying them the right to upload builds and reducing the number of people able to perform a particular action.
Implementing multi-factor authentication (MFA) can also help protect against unauthorized access as it requires users to provide additional verification. This might be a code generated by a mobile app or a fingerprint scan. Many companies are leveraging one-time passwords (OTPs) either through applications like Google Authenticator, or by sending them through text messages.
Another strategy is to implement security training programs for employees to raise awareness of cyber security risks and best practices. Security training programs can help people to understand the importance of security and their role in protecting the organization's assets. They can also teach them how to recognize and protect themselves from social engineering scams, identify malicious links, and avoid downloading malware.
Security programs for employees shouldn’t only include training materials, but also the testing of phishing attacks. This not only helps you to identify the awareness levels of threats among employees but also helps you to improve your own internal security measures.
You should also consider homomorphic encryption. This is a method that enables computation over encrypted data without decrypting it first. Imagine an organization that wants to analyze customer data to identify trends and patterns but doesn't want to give its employees access to the raw data due to privacy concerns. With homomorphic encryption, the company can encrypt the customer data and then perform computations on the encrypted data without needing to decrypt it at all. This allows the organization to analyze the data without exposing the raw data to its employees, thereby reducing the risk of data breaches or misuse.
Another example would be searching over encrypted data without exposing the encryption keys to either the client or the server-side logic. You can read more about homomorphic encryption here. The open-source implementation from Microsoft is also worth considering.
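The analytics scenario above can be shown with the simplest homomorphic scheme, Paillier, which is additively homomorphic: multiplying two ciphertexts yields an encryption of the sum, so an analyst holding only the public key can total encrypted customer values while the raw numbers stay hidden. This is an added example, not code from the original article or from the Microsoft implementation it mentions; it assumes two Mersenne primes as a demo key (far too small for production) and constructed customer amounts.

```python
import math
import secrets

# Demo key material: 2^127-1 and 2^89-1 are genuine primes but far too small
# for real use; a deployment generates two ~1024-bit primes instead.
P = (1 << 127) - 1
Q = (1 << 89) - 1


def keygen(p: int = P, q: int = Q):
    """Paillier key pair with the usual g = n + 1 simplification."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # requires gcd(lam, n) == 1, true for these primes
    return (n, n + 1), (lam, mu)


def encrypt(pub, m: int) -> int:
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:  # fresh randomness per ciphertext makes encryption probabilistic
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n  # the L(x) = (x - 1) / n function
    return (l_value * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 == E(m1 + m2): no key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """E(m)^k mod n^2 == E(k * m): no key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub, ciphertexts) -> int:
    """What the analyst runs: sums encrypted values without ever decrypting."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    amounts = [1200, 3400, 560]  # constructed customer values
    cts = [encrypt(pub, a) for a in amounts]      # encrypted by the data owner
    total_ct = encrypted_total(pub, cts)          # computed by the analyst
    print(decrypt(pub, priv, total_ct))           # the data owner reads 5160
```

The split of duties is the point: the analyst's process holds `pub` and the ciphertexts only, so a compromise of that process or that employee account leaks no customer value, while the key holder sees a single aggregate rather than every row.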
As far as your end users are concerned, keep in mind that they can be a huge asset in the fight against cybercrime. But only if you empower them to be.
And remember to develop your app with empathy for the end user. They’re now living in a world with thousands of data points pinging on their phone each day. It’s very easy for them to be tricked in a moment of distraction.
So, educate them to be suspicious first and foremost. And teach them how to recognize a bogus message from a genuine one from your company.
Embrace zero trust to future-proof your security posture
Organizations continue to operate in a world full of dangerous cyber threats, so it’s vital for developers and architects to design applications with security and privacy in mind. By not trusting third parties, relying on zero-knowledge cryptography, and adopting a least-privilege approach, you can reduce the risk of data breaches and cyber attacks.
That said, zero-trust architecture is not a one-size-fits-all solution. It requires careful consideration and planning to implement effectively. But by adopting these best practices, you can significantly enhance your security posture and future-proof your application’s security in an increasingly interconnected world.
Forward-thinking companies are already sold on zero trust - and it’s slowly becoming the industry-standard approach. Libraries and frameworks for zero-knowledge are publicly available, passwordless standards adopted by the biggest players like Google and Apple are becoming mainstream, and homomorphic encryption is being used more widely.
Designing applications with zero trust in mind requires a holistic approach that considers security and privacy at every stage of the development lifecycle. By following the best practices outlined in this article, you can make sure your applications are secure, reliable, and trusted in a world where trust is no longer a sure thing.
We recently launched a guide to mobile application protection. It’s there to help developers, CISOs, CTOs and Product Managers to understand the threats facing their mobile apps and what they can do to defend against attacks.